xref: /openbmc/linux/net/sunrpc/auth_gss/auth_gss.c (revision e5bd61e8)
1 // SPDX-License-Identifier: BSD-3-Clause
2 /*
3  * linux/net/sunrpc/auth_gss/auth_gss.c
4  *
5  * RPCSEC_GSS client authentication.
6  *
7  *  Copyright (c) 2000 The Regents of the University of Michigan.
8  *  All rights reserved.
9  *
10  *  Dug Song       <dugsong@monkey.org>
11  *  Andy Adamson   <andros@umich.edu>
12  */
13 
14 #include <linux/module.h>
15 #include <linux/init.h>
16 #include <linux/types.h>
17 #include <linux/slab.h>
18 #include <linux/sched.h>
19 #include <linux/pagemap.h>
20 #include <linux/sunrpc/clnt.h>
21 #include <linux/sunrpc/auth.h>
22 #include <linux/sunrpc/auth_gss.h>
23 #include <linux/sunrpc/gss_krb5.h>
24 #include <linux/sunrpc/svcauth_gss.h>
25 #include <linux/sunrpc/gss_err.h>
26 #include <linux/workqueue.h>
27 #include <linux/sunrpc/rpc_pipe_fs.h>
28 #include <linux/sunrpc/gss_api.h>
29 #include <linux/uaccess.h>
30 #include <linux/hashtable.h>
31 
32 #include "auth_gss_internal.h"
33 #include "../netns.h"
34 
35 #include <trace/events/rpcgss.h>
36 
37 static const struct rpc_authops authgss_ops;
38 
39 static const struct rpc_credops gss_credops;
40 static const struct rpc_credops gss_nullops;
41 
42 #define GSS_RETRY_EXPIRED 5
43 static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
44 
45 #define GSS_KEY_EXPIRE_TIMEO 240
46 static unsigned int gss_key_expire_timeo = GSS_KEY_EXPIRE_TIMEO;
47 
48 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
49 # define RPCDBG_FACILITY	RPCDBG_AUTH
50 #endif
51 
52 #define GSS_CRED_SLACK		(RPC_MAX_AUTH_SIZE * 2)
53 /* length of a krb5 verifier (48), plus data added before arguments when
54  * using integrity (two 4-byte integers): */
55 #define GSS_VERF_SLACK		100
56 
57 static DEFINE_HASHTABLE(gss_auth_hash_table, 4);
58 static DEFINE_SPINLOCK(gss_auth_hash_lock);
59 
60 struct gss_pipe {
61 	struct rpc_pipe_dir_object pdo;
62 	struct rpc_pipe *pipe;
63 	struct rpc_clnt *clnt;
64 	const char *name;
65 	struct kref kref;
66 };
67 
68 struct gss_auth {
69 	struct kref kref;
70 	struct hlist_node hash;
71 	struct rpc_auth rpc_auth;
72 	struct gss_api_mech *mech;
73 	enum rpc_gss_svc service;
74 	struct rpc_clnt *client;
75 	struct net *net;
76 	/*
77 	 * There are two upcall pipes; dentry[1], named "gssd", is used
78 	 * for the new text-based upcall; dentry[0] is named after the
79 	 * mechanism (for example, "krb5") and exists for
80 	 * backwards-compatibility with older gssd's.
81 	 */
82 	struct gss_pipe *gss_pipe[2];
83 	const char *target_name;
84 };
85 
86 /* pipe_version >= 0 if and only if someone has a pipe open. */
87 static DEFINE_SPINLOCK(pipe_version_lock);
88 static struct rpc_wait_queue pipe_version_rpc_waitqueue;
89 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue);
90 static void gss_put_auth(struct gss_auth *gss_auth);
91 
92 static void gss_free_ctx(struct gss_cl_ctx *);
93 static const struct rpc_pipe_ops gss_upcall_ops_v0;
94 static const struct rpc_pipe_ops gss_upcall_ops_v1;
95 
96 static inline struct gss_cl_ctx *
97 gss_get_ctx(struct gss_cl_ctx *ctx)
98 {
99 	refcount_inc(&ctx->count);
100 	return ctx;
101 }
102 
103 static inline void
104 gss_put_ctx(struct gss_cl_ctx *ctx)
105 {
106 	if (refcount_dec_and_test(&ctx->count))
107 		gss_free_ctx(ctx);
108 }
109 
110 /* gss_cred_set_ctx:
111  * called by gss_upcall_callback and gss_create_upcall in order
112  * to set the gss context. The actual exchange of an old context
113  * and a new one is protected by the pipe->lock.
114  */
115 static void
116 gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx)
117 {
118 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
119 
120 	if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags))
121 		return;
122 	gss_get_ctx(ctx);
123 	rcu_assign_pointer(gss_cred->gc_ctx, ctx);
124 	set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
125 	smp_mb__before_atomic();
126 	clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags);
127 }
128 
129 static struct gss_cl_ctx *
130 gss_cred_get_ctx(struct rpc_cred *cred)
131 {
132 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
133 	struct gss_cl_ctx *ctx = NULL;
134 
135 	rcu_read_lock();
136 	ctx = rcu_dereference(gss_cred->gc_ctx);
137 	if (ctx)
138 		gss_get_ctx(ctx);
139 	rcu_read_unlock();
140 	return ctx;
141 }
142 
143 static struct gss_cl_ctx *
144 gss_alloc_context(void)
145 {
146 	struct gss_cl_ctx *ctx;
147 
148 	ctx = kzalloc(sizeof(*ctx), GFP_NOFS);
149 	if (ctx != NULL) {
150 		ctx->gc_proc = RPC_GSS_PROC_DATA;
151 		ctx->gc_seq = 1;	/* NetApp 6.4R1 doesn't accept seq. no. 0 */
152 		spin_lock_init(&ctx->gc_seq_lock);
153 		refcount_set(&ctx->count,1);
154 	}
155 	return ctx;
156 }
157 
158 #define GSSD_MIN_TIMEOUT (60 * 60)
159 static const void *
160 gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm)
161 {
162 	const void *q;
163 	unsigned int seclen;
164 	unsigned int timeout;
165 	unsigned long now = jiffies;
166 	u32 window_size;
167 	int ret;
168 
169 	/* First unsigned int gives the remaining lifetime in seconds of the
170 	 * credential - e.g. the remaining TGT lifetime for Kerberos or
171 	 * the -t value passed to GSSD.
172 	 */
173 	p = simple_get_bytes(p, end, &timeout, sizeof(timeout));
174 	if (IS_ERR(p))
175 		goto err;
176 	if (timeout == 0)
177 		timeout = GSSD_MIN_TIMEOUT;
178 	ctx->gc_expiry = now + ((unsigned long)timeout * HZ);
179 	/* Sequence number window. Determines the maximum number of
180 	 * simultaneous requests
181 	 */
182 	p = simple_get_bytes(p, end, &window_size, sizeof(window_size));
183 	if (IS_ERR(p))
184 		goto err;
185 	ctx->gc_win = window_size;
186 	/* gssd signals an error by passing ctx->gc_win = 0: */
187 	if (ctx->gc_win == 0) {
188 		/*
189 		 * in which case, p points to an error code. Anything other
190 		 * than -EKEYEXPIRED gets converted to -EACCES.
191 		 */
192 		p = simple_get_bytes(p, end, &ret, sizeof(ret));
193 		if (!IS_ERR(p))
194 			p = (ret == -EKEYEXPIRED) ? ERR_PTR(-EKEYEXPIRED) :
195 						    ERR_PTR(-EACCES);
196 		goto err;
197 	}
198 	/* copy the opaque wire context */
199 	p = simple_get_netobj(p, end, &ctx->gc_wire_ctx);
200 	if (IS_ERR(p))
201 		goto err;
202 	/* import the opaque security context */
203 	p  = simple_get_bytes(p, end, &seclen, sizeof(seclen));
204 	if (IS_ERR(p))
205 		goto err;
206 	q = (const void *)((const char *)p + seclen);
207 	if (unlikely(q > end || q < p)) {
208 		p = ERR_PTR(-EFAULT);
209 		goto err;
210 	}
211 	ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS);
212 	if (ret < 0) {
213 		trace_rpcgss_import_ctx(ret);
214 		p = ERR_PTR(ret);
215 		goto err;
216 	}
217 
218 	/* is there any trailing data? */
219 	if (q == end) {
220 		p = q;
221 		goto done;
222 	}
223 
224 	/* pull in acceptor name (if there is one) */
225 	p = simple_get_netobj(q, end, &ctx->gc_acceptor);
226 	if (IS_ERR(p))
227 		goto err;
228 done:
229 	trace_rpcgss_context(window_size, ctx->gc_expiry, now, timeout,
230 			     ctx->gc_acceptor.len, ctx->gc_acceptor.data);
231 err:
232 	return p;
233 }
234 
235 /* XXX: Need some documentation about why UPCALL_BUF_LEN is so small.
236  *	Is user space expecting no more than UPCALL_BUF_LEN bytes?
237  *	Note that there are now _two_ NI_MAXHOST sized data items
238  *	being passed in this string.
239  */
240 #define UPCALL_BUF_LEN	256
241 
242 struct gss_upcall_msg {
243 	refcount_t count;
244 	kuid_t	uid;
245 	const char *service_name;
246 	struct rpc_pipe_msg msg;
247 	struct list_head list;
248 	struct gss_auth *auth;
249 	struct rpc_pipe *pipe;
250 	struct rpc_wait_queue rpc_waitqueue;
251 	wait_queue_head_t waitqueue;
252 	struct gss_cl_ctx *ctx;
253 	char databuf[UPCALL_BUF_LEN];
254 };
255 
256 static int get_pipe_version(struct net *net)
257 {
258 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
259 	int ret;
260 
261 	spin_lock(&pipe_version_lock);
262 	if (sn->pipe_version >= 0) {
263 		atomic_inc(&sn->pipe_users);
264 		ret = sn->pipe_version;
265 	} else
266 		ret = -EAGAIN;
267 	spin_unlock(&pipe_version_lock);
268 	return ret;
269 }
270 
271 static void put_pipe_version(struct net *net)
272 {
273 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
274 
275 	if (atomic_dec_and_lock(&sn->pipe_users, &pipe_version_lock)) {
276 		sn->pipe_version = -1;
277 		spin_unlock(&pipe_version_lock);
278 	}
279 }
280 
281 static void
282 gss_release_msg(struct gss_upcall_msg *gss_msg)
283 {
284 	struct net *net = gss_msg->auth->net;
285 	if (!refcount_dec_and_test(&gss_msg->count))
286 		return;
287 	put_pipe_version(net);
288 	BUG_ON(!list_empty(&gss_msg->list));
289 	if (gss_msg->ctx != NULL)
290 		gss_put_ctx(gss_msg->ctx);
291 	rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue);
292 	gss_put_auth(gss_msg->auth);
293 	kfree_const(gss_msg->service_name);
294 	kfree(gss_msg);
295 }
296 
297 static struct gss_upcall_msg *
298 __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
299 {
300 	struct gss_upcall_msg *pos;
301 	list_for_each_entry(pos, &pipe->in_downcall, list) {
302 		if (!uid_eq(pos->uid, uid))
303 			continue;
304 		if (auth && pos->auth->service != auth->service)
305 			continue;
306 		refcount_inc(&pos->count);
307 		return pos;
308 	}
309 	return NULL;
310 }
311 
312 /* Try to add an upcall to the pipefs queue.
313  * If an upcall owned by our uid already exists, then we return a reference
314  * to that upcall instead of adding the new upcall.
315  */
316 static inline struct gss_upcall_msg *
317 gss_add_msg(struct gss_upcall_msg *gss_msg)
318 {
319 	struct rpc_pipe *pipe = gss_msg->pipe;
320 	struct gss_upcall_msg *old;
321 
322 	spin_lock(&pipe->lock);
323 	old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
324 	if (old == NULL) {
325 		refcount_inc(&gss_msg->count);
326 		list_add(&gss_msg->list, &pipe->in_downcall);
327 	} else
328 		gss_msg = old;
329 	spin_unlock(&pipe->lock);
330 	return gss_msg;
331 }
332 
333 static void
334 __gss_unhash_msg(struct gss_upcall_msg *gss_msg)
335 {
336 	list_del_init(&gss_msg->list);
337 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
338 	wake_up_all(&gss_msg->waitqueue);
339 	refcount_dec(&gss_msg->count);
340 }
341 
342 static void
343 gss_unhash_msg(struct gss_upcall_msg *gss_msg)
344 {
345 	struct rpc_pipe *pipe = gss_msg->pipe;
346 
347 	if (list_empty(&gss_msg->list))
348 		return;
349 	spin_lock(&pipe->lock);
350 	if (!list_empty(&gss_msg->list))
351 		__gss_unhash_msg(gss_msg);
352 	spin_unlock(&pipe->lock);
353 }
354 
355 static void
356 gss_handle_downcall_result(struct gss_cred *gss_cred, struct gss_upcall_msg *gss_msg)
357 {
358 	switch (gss_msg->msg.errno) {
359 	case 0:
360 		if (gss_msg->ctx == NULL)
361 			break;
362 		clear_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
363 		gss_cred_set_ctx(&gss_cred->gc_base, gss_msg->ctx);
364 		break;
365 	case -EKEYEXPIRED:
366 		set_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
367 	}
368 	gss_cred->gc_upcall_timestamp = jiffies;
369 	gss_cred->gc_upcall = NULL;
370 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
371 }
372 
373 static void
374 gss_upcall_callback(struct rpc_task *task)
375 {
376 	struct gss_cred *gss_cred = container_of(task->tk_rqstp->rq_cred,
377 			struct gss_cred, gc_base);
378 	struct gss_upcall_msg *gss_msg = gss_cred->gc_upcall;
379 	struct rpc_pipe *pipe = gss_msg->pipe;
380 
381 	spin_lock(&pipe->lock);
382 	gss_handle_downcall_result(gss_cred, gss_msg);
383 	spin_unlock(&pipe->lock);
384 	task->tk_status = gss_msg->msg.errno;
385 	gss_release_msg(gss_msg);
386 }
387 
388 static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg,
389 			      const struct cred *cred)
390 {
391 	struct user_namespace *userns = cred->user_ns;
392 
393 	uid_t uid = from_kuid_munged(userns, gss_msg->uid);
394 	memcpy(gss_msg->databuf, &uid, sizeof(uid));
395 	gss_msg->msg.data = gss_msg->databuf;
396 	gss_msg->msg.len = sizeof(uid);
397 
398 	BUILD_BUG_ON(sizeof(uid) > sizeof(gss_msg->databuf));
399 }
400 
401 static ssize_t
402 gss_v0_upcall(struct file *file, struct rpc_pipe_msg *msg,
403 		char __user *buf, size_t buflen)
404 {
405 	struct gss_upcall_msg *gss_msg = container_of(msg,
406 						      struct gss_upcall_msg,
407 						      msg);
408 	if (msg->copied == 0)
409 		gss_encode_v0_msg(gss_msg, file->f_cred);
410 	return rpc_pipe_generic_upcall(file, msg, buf, buflen);
411 }
412 
413 static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
414 				const char *service_name,
415 				const char *target_name,
416 				const struct cred *cred)
417 {
418 	struct user_namespace *userns = cred->user_ns;
419 	struct gss_api_mech *mech = gss_msg->auth->mech;
420 	char *p = gss_msg->databuf;
421 	size_t buflen = sizeof(gss_msg->databuf);
422 	int len;
423 
424 	len = scnprintf(p, buflen, "mech=%s uid=%d", mech->gm_name,
425 			from_kuid_munged(userns, gss_msg->uid));
426 	buflen -= len;
427 	p += len;
428 	gss_msg->msg.len = len;
429 
430 	/*
431 	 * target= is a full service principal that names the remote
432 	 * identity that we are authenticating to.
433 	 */
434 	if (target_name) {
435 		len = scnprintf(p, buflen, " target=%s", target_name);
436 		buflen -= len;
437 		p += len;
438 		gss_msg->msg.len += len;
439 	}
440 
441 	/*
442 	 * gssd uses service= and srchost= to select a matching key from
443 	 * the system's keytab to use as the source principal.
444 	 *
445 	 * service= is the service name part of the source principal,
446 	 * or "*" (meaning choose any).
447 	 *
448 	 * srchost= is the hostname part of the source principal. When
449 	 * not provided, gssd uses the local hostname.
450 	 */
451 	if (service_name) {
452 		char *c = strchr(service_name, '@');
453 
454 		if (!c)
455 			len = scnprintf(p, buflen, " service=%s",
456 					service_name);
457 		else
458 			len = scnprintf(p, buflen,
459 					" service=%.*s srchost=%s",
460 					(int)(c - service_name),
461 					service_name, c + 1);
462 		buflen -= len;
463 		p += len;
464 		gss_msg->msg.len += len;
465 	}
466 
467 	if (mech->gm_upcall_enctypes) {
468 		len = scnprintf(p, buflen, " enctypes=%s",
469 				mech->gm_upcall_enctypes);
470 		buflen -= len;
471 		p += len;
472 		gss_msg->msg.len += len;
473 	}
474 	trace_rpcgss_upcall_msg(gss_msg->databuf);
475 	len = scnprintf(p, buflen, "\n");
476 	if (len == 0)
477 		goto out_overflow;
478 	gss_msg->msg.len += len;
479 	gss_msg->msg.data = gss_msg->databuf;
480 	return 0;
481 out_overflow:
482 	WARN_ON_ONCE(1);
483 	return -ENOMEM;
484 }
485 
486 static ssize_t
487 gss_v1_upcall(struct file *file, struct rpc_pipe_msg *msg,
488 		char __user *buf, size_t buflen)
489 {
490 	struct gss_upcall_msg *gss_msg = container_of(msg,
491 						      struct gss_upcall_msg,
492 						      msg);
493 	int err;
494 	if (msg->copied == 0) {
495 		err = gss_encode_v1_msg(gss_msg,
496 					gss_msg->service_name,
497 					gss_msg->auth->target_name,
498 					file->f_cred);
499 		if (err)
500 			return err;
501 	}
502 	return rpc_pipe_generic_upcall(file, msg, buf, buflen);
503 }
504 
505 static struct gss_upcall_msg *
506 gss_alloc_msg(struct gss_auth *gss_auth,
507 		kuid_t uid, const char *service_name)
508 {
509 	struct gss_upcall_msg *gss_msg;
510 	int vers;
511 	int err = -ENOMEM;
512 
513 	gss_msg = kzalloc(sizeof(*gss_msg), GFP_NOFS);
514 	if (gss_msg == NULL)
515 		goto err;
516 	vers = get_pipe_version(gss_auth->net);
517 	err = vers;
518 	if (err < 0)
519 		goto err_free_msg;
520 	gss_msg->pipe = gss_auth->gss_pipe[vers]->pipe;
521 	INIT_LIST_HEAD(&gss_msg->list);
522 	rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
523 	init_waitqueue_head(&gss_msg->waitqueue);
524 	refcount_set(&gss_msg->count, 1);
525 	gss_msg->uid = uid;
526 	gss_msg->auth = gss_auth;
527 	kref_get(&gss_auth->kref);
528 	if (service_name) {
529 		gss_msg->service_name = kstrdup_const(service_name, GFP_NOFS);
530 		if (!gss_msg->service_name) {
531 			err = -ENOMEM;
532 			goto err_put_pipe_version;
533 		}
534 	}
535 	return gss_msg;
536 err_put_pipe_version:
537 	put_pipe_version(gss_auth->net);
538 err_free_msg:
539 	kfree(gss_msg);
540 err:
541 	return ERR_PTR(err);
542 }
543 
544 static struct gss_upcall_msg *
545 gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred)
546 {
547 	struct gss_cred *gss_cred = container_of(cred,
548 			struct gss_cred, gc_base);
549 	struct gss_upcall_msg *gss_new, *gss_msg;
550 	kuid_t uid = cred->cr_cred->fsuid;
551 
552 	gss_new = gss_alloc_msg(gss_auth, uid, gss_cred->gc_principal);
553 	if (IS_ERR(gss_new))
554 		return gss_new;
555 	gss_msg = gss_add_msg(gss_new);
556 	if (gss_msg == gss_new) {
557 		int res;
558 		refcount_inc(&gss_msg->count);
559 		res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
560 		if (res) {
561 			gss_unhash_msg(gss_new);
562 			refcount_dec(&gss_msg->count);
563 			gss_release_msg(gss_new);
564 			gss_msg = ERR_PTR(res);
565 		}
566 	} else
567 		gss_release_msg(gss_new);
568 	return gss_msg;
569 }
570 
571 static void warn_gssd(void)
572 {
573 	dprintk("AUTH_GSS upcall failed. Please check user daemon is running.\n");
574 }
575 
576 static inline int
577 gss_refresh_upcall(struct rpc_task *task)
578 {
579 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
580 	struct gss_auth *gss_auth = container_of(cred->cr_auth,
581 			struct gss_auth, rpc_auth);
582 	struct gss_cred *gss_cred = container_of(cred,
583 			struct gss_cred, gc_base);
584 	struct gss_upcall_msg *gss_msg;
585 	struct rpc_pipe *pipe;
586 	int err = 0;
587 
588 	gss_msg = gss_setup_upcall(gss_auth, cred);
589 	if (PTR_ERR(gss_msg) == -EAGAIN) {
590 		/* XXX: warning on the first, under the assumption we
591 		 * shouldn't normally hit this case on a refresh. */
592 		warn_gssd();
593 		rpc_sleep_on_timeout(&pipe_version_rpc_waitqueue,
594 				task, NULL, jiffies + (15 * HZ));
595 		err = -EAGAIN;
596 		goto out;
597 	}
598 	if (IS_ERR(gss_msg)) {
599 		err = PTR_ERR(gss_msg);
600 		goto out;
601 	}
602 	pipe = gss_msg->pipe;
603 	spin_lock(&pipe->lock);
604 	if (gss_cred->gc_upcall != NULL)
605 		rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL);
606 	else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) {
607 		gss_cred->gc_upcall = gss_msg;
608 		/* gss_upcall_callback will release the reference to gss_upcall_msg */
609 		refcount_inc(&gss_msg->count);
610 		rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback);
611 	} else {
612 		gss_handle_downcall_result(gss_cred, gss_msg);
613 		err = gss_msg->msg.errno;
614 	}
615 	spin_unlock(&pipe->lock);
616 	gss_release_msg(gss_msg);
617 out:
618 	trace_rpcgss_upcall_result(from_kuid(&init_user_ns,
619 					     cred->cr_cred->fsuid), err);
620 	return err;
621 }
622 
623 static inline int
624 gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
625 {
626 	struct net *net = gss_auth->net;
627 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
628 	struct rpc_pipe *pipe;
629 	struct rpc_cred *cred = &gss_cred->gc_base;
630 	struct gss_upcall_msg *gss_msg;
631 	DEFINE_WAIT(wait);
632 	int err;
633 
634 retry:
635 	err = 0;
636 	/* if gssd is down, just skip upcalling altogether */
637 	if (!gssd_running(net)) {
638 		warn_gssd();
639 		err = -EACCES;
640 		goto out;
641 	}
642 	gss_msg = gss_setup_upcall(gss_auth, cred);
643 	if (PTR_ERR(gss_msg) == -EAGAIN) {
644 		err = wait_event_interruptible_timeout(pipe_version_waitqueue,
645 				sn->pipe_version >= 0, 15 * HZ);
646 		if (sn->pipe_version < 0) {
647 			warn_gssd();
648 			err = -EACCES;
649 		}
650 		if (err < 0)
651 			goto out;
652 		goto retry;
653 	}
654 	if (IS_ERR(gss_msg)) {
655 		err = PTR_ERR(gss_msg);
656 		goto out;
657 	}
658 	pipe = gss_msg->pipe;
659 	for (;;) {
660 		prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE);
661 		spin_lock(&pipe->lock);
662 		if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) {
663 			break;
664 		}
665 		spin_unlock(&pipe->lock);
666 		if (fatal_signal_pending(current)) {
667 			err = -ERESTARTSYS;
668 			goto out_intr;
669 		}
670 		schedule();
671 	}
672 	if (gss_msg->ctx) {
673 		trace_rpcgss_ctx_init(gss_cred);
674 		gss_cred_set_ctx(cred, gss_msg->ctx);
675 	} else {
676 		err = gss_msg->msg.errno;
677 	}
678 	spin_unlock(&pipe->lock);
679 out_intr:
680 	finish_wait(&gss_msg->waitqueue, &wait);
681 	gss_release_msg(gss_msg);
682 out:
683 	trace_rpcgss_upcall_result(from_kuid(&init_user_ns,
684 					     cred->cr_cred->fsuid), err);
685 	return err;
686 }
687 
688 #define MSG_BUF_MAXSIZE 1024
689 
690 static ssize_t
691 gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
692 {
693 	const void *p, *end;
694 	void *buf;
695 	struct gss_upcall_msg *gss_msg;
696 	struct rpc_pipe *pipe = RPC_I(file_inode(filp))->pipe;
697 	struct gss_cl_ctx *ctx;
698 	uid_t id;
699 	kuid_t uid;
700 	ssize_t err = -EFBIG;
701 
702 	if (mlen > MSG_BUF_MAXSIZE)
703 		goto out;
704 	err = -ENOMEM;
705 	buf = kmalloc(mlen, GFP_NOFS);
706 	if (!buf)
707 		goto out;
708 
709 	err = -EFAULT;
710 	if (copy_from_user(buf, src, mlen))
711 		goto err;
712 
713 	end = (const void *)((char *)buf + mlen);
714 	p = simple_get_bytes(buf, end, &id, sizeof(id));
715 	if (IS_ERR(p)) {
716 		err = PTR_ERR(p);
717 		goto err;
718 	}
719 
720 	uid = make_kuid(current_user_ns(), id);
721 	if (!uid_valid(uid)) {
722 		err = -EINVAL;
723 		goto err;
724 	}
725 
726 	err = -ENOMEM;
727 	ctx = gss_alloc_context();
728 	if (ctx == NULL)
729 		goto err;
730 
731 	err = -ENOENT;
732 	/* Find a matching upcall */
733 	spin_lock(&pipe->lock);
734 	gss_msg = __gss_find_upcall(pipe, uid, NULL);
735 	if (gss_msg == NULL) {
736 		spin_unlock(&pipe->lock);
737 		goto err_put_ctx;
738 	}
739 	list_del_init(&gss_msg->list);
740 	spin_unlock(&pipe->lock);
741 
742 	p = gss_fill_context(p, end, ctx, gss_msg->auth->mech);
743 	if (IS_ERR(p)) {
744 		err = PTR_ERR(p);
745 		switch (err) {
746 		case -EACCES:
747 		case -EKEYEXPIRED:
748 			gss_msg->msg.errno = err;
749 			err = mlen;
750 			break;
751 		case -EFAULT:
752 		case -ENOMEM:
753 		case -EINVAL:
754 		case -ENOSYS:
755 			gss_msg->msg.errno = -EAGAIN;
756 			break;
757 		default:
758 			printk(KERN_CRIT "%s: bad return from "
759 				"gss_fill_context: %zd\n", __func__, err);
760 			gss_msg->msg.errno = -EIO;
761 		}
762 		goto err_release_msg;
763 	}
764 	gss_msg->ctx = gss_get_ctx(ctx);
765 	err = mlen;
766 
767 err_release_msg:
768 	spin_lock(&pipe->lock);
769 	__gss_unhash_msg(gss_msg);
770 	spin_unlock(&pipe->lock);
771 	gss_release_msg(gss_msg);
772 err_put_ctx:
773 	gss_put_ctx(ctx);
774 err:
775 	kfree(buf);
776 out:
777 	return err;
778 }
779 
780 static int gss_pipe_open(struct inode *inode, int new_version)
781 {
782 	struct net *net = inode->i_sb->s_fs_info;
783 	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
784 	int ret = 0;
785 
786 	spin_lock(&pipe_version_lock);
787 	if (sn->pipe_version < 0) {
788 		/* First open of any gss pipe determines the version: */
789 		sn->pipe_version = new_version;
790 		rpc_wake_up(&pipe_version_rpc_waitqueue);
791 		wake_up(&pipe_version_waitqueue);
792 	} else if (sn->pipe_version != new_version) {
793 		/* Trying to open a pipe of a different version */
794 		ret = -EBUSY;
795 		goto out;
796 	}
797 	atomic_inc(&sn->pipe_users);
798 out:
799 	spin_unlock(&pipe_version_lock);
800 	return ret;
801 
802 }
803 
804 static int gss_pipe_open_v0(struct inode *inode)
805 {
806 	return gss_pipe_open(inode, 0);
807 }
808 
809 static int gss_pipe_open_v1(struct inode *inode)
810 {
811 	return gss_pipe_open(inode, 1);
812 }
813 
814 static void
815 gss_pipe_release(struct inode *inode)
816 {
817 	struct net *net = inode->i_sb->s_fs_info;
818 	struct rpc_pipe *pipe = RPC_I(inode)->pipe;
819 	struct gss_upcall_msg *gss_msg;
820 
821 restart:
822 	spin_lock(&pipe->lock);
823 	list_for_each_entry(gss_msg, &pipe->in_downcall, list) {
824 
825 		if (!list_empty(&gss_msg->msg.list))
826 			continue;
827 		gss_msg->msg.errno = -EPIPE;
828 		refcount_inc(&gss_msg->count);
829 		__gss_unhash_msg(gss_msg);
830 		spin_unlock(&pipe->lock);
831 		gss_release_msg(gss_msg);
832 		goto restart;
833 	}
834 	spin_unlock(&pipe->lock);
835 
836 	put_pipe_version(net);
837 }
838 
839 static void
840 gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
841 {
842 	struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg);
843 
844 	if (msg->errno < 0) {
845 		refcount_inc(&gss_msg->count);
846 		gss_unhash_msg(gss_msg);
847 		if (msg->errno == -ETIMEDOUT)
848 			warn_gssd();
849 		gss_release_msg(gss_msg);
850 	}
851 	gss_release_msg(gss_msg);
852 }
853 
854 static void gss_pipe_dentry_destroy(struct dentry *dir,
855 		struct rpc_pipe_dir_object *pdo)
856 {
857 	struct gss_pipe *gss_pipe = pdo->pdo_data;
858 	struct rpc_pipe *pipe = gss_pipe->pipe;
859 
860 	if (pipe->dentry != NULL) {
861 		rpc_unlink(pipe->dentry);
862 		pipe->dentry = NULL;
863 	}
864 }
865 
866 static int gss_pipe_dentry_create(struct dentry *dir,
867 		struct rpc_pipe_dir_object *pdo)
868 {
869 	struct gss_pipe *p = pdo->pdo_data;
870 	struct dentry *dentry;
871 
872 	dentry = rpc_mkpipe_dentry(dir, p->name, p->clnt, p->pipe);
873 	if (IS_ERR(dentry))
874 		return PTR_ERR(dentry);
875 	p->pipe->dentry = dentry;
876 	return 0;
877 }
878 
879 static const struct rpc_pipe_dir_object_ops gss_pipe_dir_object_ops = {
880 	.create = gss_pipe_dentry_create,
881 	.destroy = gss_pipe_dentry_destroy,
882 };
883 
884 static struct gss_pipe *gss_pipe_alloc(struct rpc_clnt *clnt,
885 		const char *name,
886 		const struct rpc_pipe_ops *upcall_ops)
887 {
888 	struct gss_pipe *p;
889 	int err = -ENOMEM;
890 
891 	p = kmalloc(sizeof(*p), GFP_KERNEL);
892 	if (p == NULL)
893 		goto err;
894 	p->pipe = rpc_mkpipe_data(upcall_ops, RPC_PIPE_WAIT_FOR_OPEN);
895 	if (IS_ERR(p->pipe)) {
896 		err = PTR_ERR(p->pipe);
897 		goto err_free_gss_pipe;
898 	}
899 	p->name = name;
900 	p->clnt = clnt;
901 	kref_init(&p->kref);
902 	rpc_init_pipe_dir_object(&p->pdo,
903 			&gss_pipe_dir_object_ops,
904 			p);
905 	return p;
906 err_free_gss_pipe:
907 	kfree(p);
908 err:
909 	return ERR_PTR(err);
910 }
911 
912 struct gss_alloc_pdo {
913 	struct rpc_clnt *clnt;
914 	const char *name;
915 	const struct rpc_pipe_ops *upcall_ops;
916 };
917 
918 static int gss_pipe_match_pdo(struct rpc_pipe_dir_object *pdo, void *data)
919 {
920 	struct gss_pipe *gss_pipe;
921 	struct gss_alloc_pdo *args = data;
922 
923 	if (pdo->pdo_ops != &gss_pipe_dir_object_ops)
924 		return 0;
925 	gss_pipe = container_of(pdo, struct gss_pipe, pdo);
926 	if (strcmp(gss_pipe->name, args->name) != 0)
927 		return 0;
928 	if (!kref_get_unless_zero(&gss_pipe->kref))
929 		return 0;
930 	return 1;
931 }
932 
933 static struct rpc_pipe_dir_object *gss_pipe_alloc_pdo(void *data)
934 {
935 	struct gss_pipe *gss_pipe;
936 	struct gss_alloc_pdo *args = data;
937 
938 	gss_pipe = gss_pipe_alloc(args->clnt, args->name, args->upcall_ops);
939 	if (!IS_ERR(gss_pipe))
940 		return &gss_pipe->pdo;
941 	return NULL;
942 }
943 
944 static struct gss_pipe *gss_pipe_get(struct rpc_clnt *clnt,
945 		const char *name,
946 		const struct rpc_pipe_ops *upcall_ops)
947 {
948 	struct net *net = rpc_net_ns(clnt);
949 	struct rpc_pipe_dir_object *pdo;
950 	struct gss_alloc_pdo args = {
951 		.clnt = clnt,
952 		.name = name,
953 		.upcall_ops = upcall_ops,
954 	};
955 
956 	pdo = rpc_find_or_alloc_pipe_dir_object(net,
957 			&clnt->cl_pipedir_objects,
958 			gss_pipe_match_pdo,
959 			gss_pipe_alloc_pdo,
960 			&args);
961 	if (pdo != NULL)
962 		return container_of(pdo, struct gss_pipe, pdo);
963 	return ERR_PTR(-ENOMEM);
964 }
965 
966 static void __gss_pipe_free(struct gss_pipe *p)
967 {
968 	struct rpc_clnt *clnt = p->clnt;
969 	struct net *net = rpc_net_ns(clnt);
970 
971 	rpc_remove_pipe_dir_object(net,
972 			&clnt->cl_pipedir_objects,
973 			&p->pdo);
974 	rpc_destroy_pipe_data(p->pipe);
975 	kfree(p);
976 }
977 
978 static void __gss_pipe_release(struct kref *kref)
979 {
980 	struct gss_pipe *p = container_of(kref, struct gss_pipe, kref);
981 
982 	__gss_pipe_free(p);
983 }
984 
985 static void gss_pipe_free(struct gss_pipe *p)
986 {
987 	if (p != NULL)
988 		kref_put(&p->kref, __gss_pipe_release);
989 }
990 
991 /*
992  * NOTE: we have the opportunity to use different
993  * parameters based on the input flavor (which must be a pseudoflavor)
994  */
995 static struct gss_auth *
996 gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
997 {
998 	rpc_authflavor_t flavor = args->pseudoflavor;
999 	struct gss_auth *gss_auth;
1000 	struct gss_pipe *gss_pipe;
1001 	struct rpc_auth * auth;
1002 	int err = -ENOMEM; /* XXX? */
1003 
1004 	if (!try_module_get(THIS_MODULE))
1005 		return ERR_PTR(err);
1006 	if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL)))
1007 		goto out_dec;
1008 	INIT_HLIST_NODE(&gss_auth->hash);
1009 	gss_auth->target_name = NULL;
1010 	if (args->target_name) {
1011 		gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL);
1012 		if (gss_auth->target_name == NULL)
1013 			goto err_free;
1014 	}
1015 	gss_auth->client = clnt;
1016 	gss_auth->net = get_net(rpc_net_ns(clnt));
1017 	err = -EINVAL;
1018 	gss_auth->mech = gss_mech_get_by_pseudoflavor(flavor);
1019 	if (!gss_auth->mech)
1020 		goto err_put_net;
1021 	gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor);
1022 	if (gss_auth->service == 0)
1023 		goto err_put_mech;
1024 	if (!gssd_running(gss_auth->net))
1025 		goto err_put_mech;
1026 	auth = &gss_auth->rpc_auth;
1027 	auth->au_cslack = GSS_CRED_SLACK >> 2;
1028 	auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;
1029 	auth->au_verfsize = GSS_VERF_SLACK >> 2;
1030 	auth->au_ralign = GSS_VERF_SLACK >> 2;
1031 	__set_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags);
1032 	auth->au_ops = &authgss_ops;
1033 	auth->au_flavor = flavor;
1034 	if (gss_pseudoflavor_to_datatouch(gss_auth->mech, flavor))
1035 		__set_bit(RPCAUTH_AUTH_DATATOUCH, &auth->au_flags);
1036 	refcount_set(&auth->au_count, 1);
1037 	kref_init(&gss_auth->kref);
1038 
1039 	err = rpcauth_init_credcache(auth);
1040 	if (err)
1041 		goto err_put_mech;
1042 	/*
1043 	 * Note: if we created the old pipe first, then someone who
1044 	 * examined the directory at the right moment might conclude
1045 	 * that we supported only the old pipe.  So we instead create
1046 	 * the new pipe first.
1047 	 */
1048 	gss_pipe = gss_pipe_get(clnt, "gssd", &gss_upcall_ops_v1);
1049 	if (IS_ERR(gss_pipe)) {
1050 		err = PTR_ERR(gss_pipe);
1051 		goto err_destroy_credcache;
1052 	}
1053 	gss_auth->gss_pipe[1] = gss_pipe;
1054 
1055 	gss_pipe = gss_pipe_get(clnt, gss_auth->mech->gm_name,
1056 			&gss_upcall_ops_v0);
1057 	if (IS_ERR(gss_pipe)) {
1058 		err = PTR_ERR(gss_pipe);
1059 		goto err_destroy_pipe_1;
1060 	}
1061 	gss_auth->gss_pipe[0] = gss_pipe;
1062 
1063 	return gss_auth;
1064 err_destroy_pipe_1:
1065 	gss_pipe_free(gss_auth->gss_pipe[1]);
1066 err_destroy_credcache:
1067 	rpcauth_destroy_credcache(auth);
1068 err_put_mech:
1069 	gss_mech_put(gss_auth->mech);
1070 err_put_net:
1071 	put_net(gss_auth->net);
1072 err_free:
1073 	kfree(gss_auth->target_name);
1074 	kfree(gss_auth);
1075 out_dec:
1076 	module_put(THIS_MODULE);
1077 	trace_rpcgss_createauth(flavor, err);
1078 	return ERR_PTR(err);
1079 }
1080 
1081 static void
1082 gss_free(struct gss_auth *gss_auth)
1083 {
1084 	gss_pipe_free(gss_auth->gss_pipe[0]);
1085 	gss_pipe_free(gss_auth->gss_pipe[1]);
1086 	gss_mech_put(gss_auth->mech);
1087 	put_net(gss_auth->net);
1088 	kfree(gss_auth->target_name);
1089 
1090 	kfree(gss_auth);
1091 	module_put(THIS_MODULE);
1092 }
1093 
1094 static void
1095 gss_free_callback(struct kref *kref)
1096 {
1097 	struct gss_auth *gss_auth = container_of(kref, struct gss_auth, kref);
1098 
1099 	gss_free(gss_auth);
1100 }
1101 
1102 static void
1103 gss_put_auth(struct gss_auth *gss_auth)
1104 {
1105 	kref_put(&gss_auth->kref, gss_free_callback);
1106 }
1107 
1108 static void
1109 gss_destroy(struct rpc_auth *auth)
1110 {
1111 	struct gss_auth *gss_auth = container_of(auth,
1112 			struct gss_auth, rpc_auth);
1113 
1114 	if (hash_hashed(&gss_auth->hash)) {
1115 		spin_lock(&gss_auth_hash_lock);
1116 		hash_del(&gss_auth->hash);
1117 		spin_unlock(&gss_auth_hash_lock);
1118 	}
1119 
1120 	gss_pipe_free(gss_auth->gss_pipe[0]);
1121 	gss_auth->gss_pipe[0] = NULL;
1122 	gss_pipe_free(gss_auth->gss_pipe[1]);
1123 	gss_auth->gss_pipe[1] = NULL;
1124 	rpcauth_destroy_credcache(auth);
1125 
1126 	gss_put_auth(gss_auth);
1127 }
1128 
1129 /*
1130  * Auths may be shared between rpc clients that were cloned from a
1131  * common client with the same xprt, if they also share the flavor and
1132  * target_name.
1133  *
1134  * The auth is looked up from the oldest parent sharing the same
1135  * cl_xprt, and the auth itself references only that common parent
1136  * (which is guaranteed to last as long as any of its descendants).
1137  */
1138 static struct gss_auth *
1139 gss_auth_find_or_add_hashed(const struct rpc_auth_create_args *args,
1140 		struct rpc_clnt *clnt,
1141 		struct gss_auth *new)
1142 {
1143 	struct gss_auth *gss_auth;
1144 	unsigned long hashval = (unsigned long)clnt;
1145 
1146 	spin_lock(&gss_auth_hash_lock);
1147 	hash_for_each_possible(gss_auth_hash_table,
1148 			gss_auth,
1149 			hash,
1150 			hashval) {
1151 		if (gss_auth->client != clnt)
1152 			continue;
1153 		if (gss_auth->rpc_auth.au_flavor != args->pseudoflavor)
1154 			continue;
1155 		if (gss_auth->target_name != args->target_name) {
1156 			if (gss_auth->target_name == NULL)
1157 				continue;
1158 			if (args->target_name == NULL)
1159 				continue;
1160 			if (strcmp(gss_auth->target_name, args->target_name))
1161 				continue;
1162 		}
1163 		if (!refcount_inc_not_zero(&gss_auth->rpc_auth.au_count))
1164 			continue;
1165 		goto out;
1166 	}
1167 	if (new)
1168 		hash_add(gss_auth_hash_table, &new->hash, hashval);
1169 	gss_auth = new;
1170 out:
1171 	spin_unlock(&gss_auth_hash_lock);
1172 	return gss_auth;
1173 }
1174 
1175 static struct gss_auth *
1176 gss_create_hashed(const struct rpc_auth_create_args *args,
1177 		  struct rpc_clnt *clnt)
1178 {
1179 	struct gss_auth *gss_auth;
1180 	struct gss_auth *new;
1181 
1182 	gss_auth = gss_auth_find_or_add_hashed(args, clnt, NULL);
1183 	if (gss_auth != NULL)
1184 		goto out;
1185 	new = gss_create_new(args, clnt);
1186 	if (IS_ERR(new))
1187 		return new;
1188 	gss_auth = gss_auth_find_or_add_hashed(args, clnt, new);
1189 	if (gss_auth != new)
1190 		gss_destroy(&new->rpc_auth);
1191 out:
1192 	return gss_auth;
1193 }
1194 
1195 static struct rpc_auth *
1196 gss_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
1197 {
1198 	struct gss_auth *gss_auth;
1199 	struct rpc_xprt_switch *xps = rcu_access_pointer(clnt->cl_xpi.xpi_xpswitch);
1200 
1201 	while (clnt != clnt->cl_parent) {
1202 		struct rpc_clnt *parent = clnt->cl_parent;
1203 		/* Find the original parent for this transport */
1204 		if (rcu_access_pointer(parent->cl_xpi.xpi_xpswitch) != xps)
1205 			break;
1206 		clnt = parent;
1207 	}
1208 
1209 	gss_auth = gss_create_hashed(args, clnt);
1210 	if (IS_ERR(gss_auth))
1211 		return ERR_CAST(gss_auth);
1212 	return &gss_auth->rpc_auth;
1213 }
1214 
1215 static struct gss_cred *
1216 gss_dup_cred(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
1217 {
1218 	struct gss_cred *new;
1219 
1220 	/* Make a copy of the cred so that we can reference count it */
1221 	new = kzalloc(sizeof(*gss_cred), GFP_NOFS);
1222 	if (new) {
1223 		struct auth_cred acred = {
1224 			.cred = gss_cred->gc_base.cr_cred,
1225 		};
1226 		struct gss_cl_ctx *ctx =
1227 			rcu_dereference_protected(gss_cred->gc_ctx, 1);
1228 
1229 		rpcauth_init_cred(&new->gc_base, &acred,
1230 				&gss_auth->rpc_auth,
1231 				&gss_nullops);
1232 		new->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE;
1233 		new->gc_service = gss_cred->gc_service;
1234 		new->gc_principal = gss_cred->gc_principal;
1235 		kref_get(&gss_auth->kref);
1236 		rcu_assign_pointer(new->gc_ctx, ctx);
1237 		gss_get_ctx(ctx);
1238 	}
1239 	return new;
1240 }
1241 
1242 /*
1243  * gss_send_destroy_context will cause the RPCSEC_GSS to send a NULL RPC call
1244  * to the server with the GSS control procedure field set to
1245  * RPC_GSS_PROC_DESTROY. This should normally cause the server to release
1246  * all RPCSEC_GSS state associated with that context.
1247  */
1248 static void
1249 gss_send_destroy_context(struct rpc_cred *cred)
1250 {
1251 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1252 	struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth);
1253 	struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1);
1254 	struct gss_cred *new;
1255 	struct rpc_task *task;
1256 
1257 	new = gss_dup_cred(gss_auth, gss_cred);
1258 	if (new) {
1259 		ctx->gc_proc = RPC_GSS_PROC_DESTROY;
1260 
1261 		trace_rpcgss_ctx_destroy(gss_cred);
1262 		task = rpc_call_null(gss_auth->client, &new->gc_base,
1263 				     RPC_TASK_ASYNC);
1264 		if (!IS_ERR(task))
1265 			rpc_put_task(task);
1266 
1267 		put_rpccred(&new->gc_base);
1268 	}
1269 }
1270 
1271 /* gss_destroy_cred (and gss_free_ctx) are used to clean up after failure
1272  * to create a new cred or context, so they check that things have been
1273  * allocated before freeing them. */
1274 static void
1275 gss_do_free_ctx(struct gss_cl_ctx *ctx)
1276 {
1277 	gss_delete_sec_context(&ctx->gc_gss_ctx);
1278 	kfree(ctx->gc_wire_ctx.data);
1279 	kfree(ctx->gc_acceptor.data);
1280 	kfree(ctx);
1281 }
1282 
1283 static void
1284 gss_free_ctx_callback(struct rcu_head *head)
1285 {
1286 	struct gss_cl_ctx *ctx = container_of(head, struct gss_cl_ctx, gc_rcu);
1287 	gss_do_free_ctx(ctx);
1288 }
1289 
1290 static void
1291 gss_free_ctx(struct gss_cl_ctx *ctx)
1292 {
1293 	call_rcu(&ctx->gc_rcu, gss_free_ctx_callback);
1294 }
1295 
1296 static void
1297 gss_free_cred(struct gss_cred *gss_cred)
1298 {
1299 	kfree(gss_cred);
1300 }
1301 
1302 static void
1303 gss_free_cred_callback(struct rcu_head *head)
1304 {
1305 	struct gss_cred *gss_cred = container_of(head, struct gss_cred, gc_base.cr_rcu);
1306 	gss_free_cred(gss_cred);
1307 }
1308 
1309 static void
1310 gss_destroy_nullcred(struct rpc_cred *cred)
1311 {
1312 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1313 	struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth);
1314 	struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1);
1315 
1316 	RCU_INIT_POINTER(gss_cred->gc_ctx, NULL);
1317 	put_cred(cred->cr_cred);
1318 	call_rcu(&cred->cr_rcu, gss_free_cred_callback);
1319 	if (ctx)
1320 		gss_put_ctx(ctx);
1321 	gss_put_auth(gss_auth);
1322 }
1323 
1324 static void
1325 gss_destroy_cred(struct rpc_cred *cred)
1326 {
1327 	if (test_and_clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0)
1328 		gss_send_destroy_context(cred);
1329 	gss_destroy_nullcred(cred);
1330 }
1331 
1332 static int
1333 gss_hash_cred(struct auth_cred *acred, unsigned int hashbits)
1334 {
1335 	return hash_64(from_kuid(&init_user_ns, acred->cred->fsuid), hashbits);
1336 }
1337 
1338 /*
1339  * Lookup RPCSEC_GSS cred for the current process
1340  */
1341 static struct rpc_cred *
1342 gss_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
1343 {
1344 	return rpcauth_lookup_credcache(auth, acred, flags, GFP_NOFS);
1345 }
1346 
1347 static struct rpc_cred *
1348 gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags, gfp_t gfp)
1349 {
1350 	struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth);
1351 	struct gss_cred	*cred = NULL;
1352 	int err = -ENOMEM;
1353 
1354 	if (!(cred = kzalloc(sizeof(*cred), gfp)))
1355 		goto out_err;
1356 
1357 	rpcauth_init_cred(&cred->gc_base, acred, auth, &gss_credops);
1358 	/*
1359 	 * Note: in order to force a call to call_refresh(), we deliberately
1360 	 * fail to flag the credential as RPCAUTH_CRED_UPTODATE.
1361 	 */
1362 	cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW;
1363 	cred->gc_service = gss_auth->service;
1364 	cred->gc_principal = acred->principal;
1365 	kref_get(&gss_auth->kref);
1366 	return &cred->gc_base;
1367 
1368 out_err:
1369 	return ERR_PTR(err);
1370 }
1371 
1372 static int
1373 gss_cred_init(struct rpc_auth *auth, struct rpc_cred *cred)
1374 {
1375 	struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth);
1376 	struct gss_cred *gss_cred = container_of(cred,struct gss_cred, gc_base);
1377 	int err;
1378 
1379 	do {
1380 		err = gss_create_upcall(gss_auth, gss_cred);
1381 	} while (err == -EAGAIN);
1382 	return err;
1383 }
1384 
1385 static char *
1386 gss_stringify_acceptor(struct rpc_cred *cred)
1387 {
1388 	char *string = NULL;
1389 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base);
1390 	struct gss_cl_ctx *ctx;
1391 	unsigned int len;
1392 	struct xdr_netobj *acceptor;
1393 
1394 	rcu_read_lock();
1395 	ctx = rcu_dereference(gss_cred->gc_ctx);
1396 	if (!ctx)
1397 		goto out;
1398 
1399 	len = ctx->gc_acceptor.len;
1400 	rcu_read_unlock();
1401 
1402 	/* no point if there's no string */
1403 	if (!len)
1404 		return NULL;
1405 realloc:
1406 	string = kmalloc(len + 1, GFP_KERNEL);
1407 	if (!string)
1408 		return NULL;
1409 
1410 	rcu_read_lock();
1411 	ctx = rcu_dereference(gss_cred->gc_ctx);
1412 
1413 	/* did the ctx disappear or was it replaced by one with no acceptor? */
1414 	if (!ctx || !ctx->gc_acceptor.len) {
1415 		kfree(string);
1416 		string = NULL;
1417 		goto out;
1418 	}
1419 
1420 	acceptor = &ctx->gc_acceptor;
1421 
1422 	/*
1423 	 * Did we find a new acceptor that's longer than the original? Allocate
1424 	 * a longer buffer and try again.
1425 	 */
1426 	if (len < acceptor->len) {
1427 		len = acceptor->len;
1428 		rcu_read_unlock();
1429 		kfree(string);
1430 		goto realloc;
1431 	}
1432 
1433 	memcpy(string, acceptor->data, acceptor->len);
1434 	string[acceptor->len] = '\0';
1435 out:
1436 	rcu_read_unlock();
1437 	return string;
1438 }
1439 
1440 /*
1441  * Returns -EACCES if GSS context is NULL or will expire within the
1442  * timeout (miliseconds)
1443  */
1444 static int
1445 gss_key_timeout(struct rpc_cred *rc)
1446 {
1447 	struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
1448 	struct gss_cl_ctx *ctx;
1449 	unsigned long timeout = jiffies + (gss_key_expire_timeo * HZ);
1450 	int ret = 0;
1451 
1452 	rcu_read_lock();
1453 	ctx = rcu_dereference(gss_cred->gc_ctx);
1454 	if (!ctx || time_after(timeout, ctx->gc_expiry))
1455 		ret = -EACCES;
1456 	rcu_read_unlock();
1457 
1458 	return ret;
1459 }
1460 
1461 static int
1462 gss_match(struct auth_cred *acred, struct rpc_cred *rc, int flags)
1463 {
1464 	struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base);
1465 	struct gss_cl_ctx *ctx;
1466 	int ret;
1467 
1468 	if (test_bit(RPCAUTH_CRED_NEW, &rc->cr_flags))
1469 		goto out;
1470 	/* Don't match with creds that have expired. */
1471 	rcu_read_lock();
1472 	ctx = rcu_dereference(gss_cred->gc_ctx);
1473 	if (!ctx || time_after(jiffies, ctx->gc_expiry)) {
1474 		rcu_read_unlock();
1475 		return 0;
1476 	}
1477 	rcu_read_unlock();
1478 	if (!test_bit(RPCAUTH_CRED_UPTODATE, &rc->cr_flags))
1479 		return 0;
1480 out:
1481 	if (acred->principal != NULL) {
1482 		if (gss_cred->gc_principal == NULL)
1483 			return 0;
1484 		ret = strcmp(acred->principal, gss_cred->gc_principal) == 0;
1485 	} else {
1486 		if (gss_cred->gc_principal != NULL)
1487 			return 0;
1488 		ret = uid_eq(rc->cr_cred->fsuid, acred->cred->fsuid);
1489 	}
1490 	return ret;
1491 }
1492 
1493 /*
1494  * Marshal credentials.
1495  *
1496  * The expensive part is computing the verifier. We can't cache a
1497  * pre-computed version of the verifier because the seqno, which
1498  * is different every time, is included in the MIC.
1499  */
1500 static int gss_marshal(struct rpc_task *task, struct xdr_stream *xdr)
1501 {
1502 	struct rpc_rqst *req = task->tk_rqstp;
1503 	struct rpc_cred *cred = req->rq_cred;
1504 	struct gss_cred	*gss_cred = container_of(cred, struct gss_cred,
1505 						 gc_base);
1506 	struct gss_cl_ctx	*ctx = gss_cred_get_ctx(cred);
1507 	__be32		*p, *cred_len;
1508 	u32             maj_stat = 0;
1509 	struct xdr_netobj mic;
1510 	struct kvec	iov;
1511 	struct xdr_buf	verf_buf;
1512 	int status;
1513 
1514 	/* Credential */
1515 
1516 	p = xdr_reserve_space(xdr, 7 * sizeof(*p) +
1517 			      ctx->gc_wire_ctx.len);
1518 	if (!p)
1519 		goto marshal_failed;
1520 	*p++ = rpc_auth_gss;
1521 	cred_len = p++;
1522 
1523 	spin_lock(&ctx->gc_seq_lock);
1524 	req->rq_seqno = (ctx->gc_seq < MAXSEQ) ? ctx->gc_seq++ : MAXSEQ;
1525 	spin_unlock(&ctx->gc_seq_lock);
1526 	if (req->rq_seqno == MAXSEQ)
1527 		goto expired;
1528 	trace_rpcgss_seqno(task);
1529 
1530 	*p++ = cpu_to_be32(RPC_GSS_VERSION);
1531 	*p++ = cpu_to_be32(ctx->gc_proc);
1532 	*p++ = cpu_to_be32(req->rq_seqno);
1533 	*p++ = cpu_to_be32(gss_cred->gc_service);
1534 	p = xdr_encode_netobj(p, &ctx->gc_wire_ctx);
1535 	*cred_len = cpu_to_be32((p - (cred_len + 1)) << 2);
1536 
1537 	/* Verifier */
1538 
1539 	/* We compute the checksum for the verifier over the xdr-encoded bytes
1540 	 * starting with the xid and ending at the end of the credential: */
1541 	iov.iov_base = req->rq_snd_buf.head[0].iov_base;
1542 	iov.iov_len = (u8 *)p - (u8 *)iov.iov_base;
1543 	xdr_buf_from_iov(&iov, &verf_buf);
1544 
1545 	p = xdr_reserve_space(xdr, sizeof(*p));
1546 	if (!p)
1547 		goto marshal_failed;
1548 	*p++ = rpc_auth_gss;
1549 	mic.data = (u8 *)(p + 1);
1550 	maj_stat = gss_get_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
1551 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1552 		goto expired;
1553 	else if (maj_stat != 0)
1554 		goto bad_mic;
1555 	if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0)
1556 		goto marshal_failed;
1557 	status = 0;
1558 out:
1559 	gss_put_ctx(ctx);
1560 	return status;
1561 expired:
1562 	clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1563 	status = -EKEYEXPIRED;
1564 	goto out;
1565 marshal_failed:
1566 	status = -EMSGSIZE;
1567 	goto out;
1568 bad_mic:
1569 	trace_rpcgss_get_mic(task, maj_stat);
1570 	status = -EIO;
1571 	goto out;
1572 }
1573 
1574 static int gss_renew_cred(struct rpc_task *task)
1575 {
1576 	struct rpc_cred *oldcred = task->tk_rqstp->rq_cred;
1577 	struct gss_cred *gss_cred = container_of(oldcred,
1578 						 struct gss_cred,
1579 						 gc_base);
1580 	struct rpc_auth *auth = oldcred->cr_auth;
1581 	struct auth_cred acred = {
1582 		.cred = oldcred->cr_cred,
1583 		.principal = gss_cred->gc_principal,
1584 	};
1585 	struct rpc_cred *new;
1586 
1587 	new = gss_lookup_cred(auth, &acred, RPCAUTH_LOOKUP_NEW);
1588 	if (IS_ERR(new))
1589 		return PTR_ERR(new);
1590 
1591 	task->tk_rqstp->rq_cred = new;
1592 	put_rpccred(oldcred);
1593 	return 0;
1594 }
1595 
1596 static int gss_cred_is_negative_entry(struct rpc_cred *cred)
1597 {
1598 	if (test_bit(RPCAUTH_CRED_NEGATIVE, &cred->cr_flags)) {
1599 		unsigned long now = jiffies;
1600 		unsigned long begin, expire;
1601 		struct gss_cred *gss_cred;
1602 
1603 		gss_cred = container_of(cred, struct gss_cred, gc_base);
1604 		begin = gss_cred->gc_upcall_timestamp;
1605 		expire = begin + gss_expired_cred_retry_delay * HZ;
1606 
1607 		if (time_in_range_open(now, begin, expire))
1608 			return 1;
1609 	}
1610 	return 0;
1611 }
1612 
1613 /*
1614 * Refresh credentials. XXX - finish
1615 */
1616 static int
1617 gss_refresh(struct rpc_task *task)
1618 {
1619 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1620 	int ret = 0;
1621 
1622 	if (gss_cred_is_negative_entry(cred))
1623 		return -EKEYEXPIRED;
1624 
1625 	if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) &&
1626 			!test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags)) {
1627 		ret = gss_renew_cred(task);
1628 		if (ret < 0)
1629 			goto out;
1630 		cred = task->tk_rqstp->rq_cred;
1631 	}
1632 
1633 	if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags))
1634 		ret = gss_refresh_upcall(task);
1635 out:
1636 	return ret;
1637 }
1638 
1639 /* Dummy refresh routine: used only when destroying the context */
1640 static int
1641 gss_refresh_null(struct rpc_task *task)
1642 {
1643 	return 0;
1644 }
1645 
1646 static int
1647 gss_validate(struct rpc_task *task, struct xdr_stream *xdr)
1648 {
1649 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1650 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
1651 	__be32		*p, *seq = NULL;
1652 	struct kvec	iov;
1653 	struct xdr_buf	verf_buf;
1654 	struct xdr_netobj mic;
1655 	u32		len, maj_stat;
1656 	int		status;
1657 
1658 	p = xdr_inline_decode(xdr, 2 * sizeof(*p));
1659 	if (!p)
1660 		goto validate_failed;
1661 	if (*p++ != rpc_auth_gss)
1662 		goto validate_failed;
1663 	len = be32_to_cpup(p);
1664 	if (len > RPC_MAX_AUTH_SIZE)
1665 		goto validate_failed;
1666 	p = xdr_inline_decode(xdr, len);
1667 	if (!p)
1668 		goto validate_failed;
1669 
1670 	seq = kmalloc(4, GFP_NOFS);
1671 	if (!seq)
1672 		goto validate_failed;
1673 	*seq = cpu_to_be32(task->tk_rqstp->rq_seqno);
1674 	iov.iov_base = seq;
1675 	iov.iov_len = 4;
1676 	xdr_buf_from_iov(&iov, &verf_buf);
1677 	mic.data = (u8 *)p;
1678 	mic.len = len;
1679 	maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
1680 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1681 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1682 	if (maj_stat)
1683 		goto bad_mic;
1684 
1685 	/* We leave it to unwrap to calculate au_rslack. For now we just
1686 	 * calculate the length of the verifier: */
1687 	if (test_bit(RPCAUTH_AUTH_UPDATE_SLACK, &cred->cr_auth->au_flags))
1688 		cred->cr_auth->au_verfsize = XDR_QUADLEN(len) + 2;
1689 	status = 0;
1690 out:
1691 	gss_put_ctx(ctx);
1692 	kfree(seq);
1693 	return status;
1694 
1695 validate_failed:
1696 	status = -EIO;
1697 	goto out;
1698 bad_mic:
1699 	trace_rpcgss_verify_mic(task, maj_stat);
1700 	status = -EACCES;
1701 	goto out;
1702 }
1703 
1704 static noinline_for_stack int
1705 gss_wrap_req_integ(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
1706 		   struct rpc_task *task, struct xdr_stream *xdr)
1707 {
1708 	struct rpc_rqst *rqstp = task->tk_rqstp;
1709 	struct xdr_buf integ_buf, *snd_buf = &rqstp->rq_snd_buf;
1710 	struct xdr_netobj mic;
1711 	__be32 *p, *integ_len;
1712 	u32 offset, maj_stat;
1713 
1714 	p = xdr_reserve_space(xdr, 2 * sizeof(*p));
1715 	if (!p)
1716 		goto wrap_failed;
1717 	integ_len = p++;
1718 	*p = cpu_to_be32(rqstp->rq_seqno);
1719 
1720 	if (rpcauth_wrap_req_encode(task, xdr))
1721 		goto wrap_failed;
1722 
1723 	offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base;
1724 	if (xdr_buf_subsegment(snd_buf, &integ_buf,
1725 				offset, snd_buf->len - offset))
1726 		goto wrap_failed;
1727 	*integ_len = cpu_to_be32(integ_buf.len);
1728 
1729 	p = xdr_reserve_space(xdr, 0);
1730 	if (!p)
1731 		goto wrap_failed;
1732 	mic.data = (u8 *)(p + 1);
1733 	maj_stat = gss_get_mic(ctx->gc_gss_ctx, &integ_buf, &mic);
1734 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1735 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1736 	else if (maj_stat)
1737 		goto bad_mic;
1738 	/* Check that the trailing MIC fit in the buffer, after the fact */
1739 	if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0)
1740 		goto wrap_failed;
1741 	return 0;
1742 wrap_failed:
1743 	return -EMSGSIZE;
1744 bad_mic:
1745 	trace_rpcgss_get_mic(task, maj_stat);
1746 	return -EIO;
1747 }
1748 
1749 static void
1750 priv_release_snd_buf(struct rpc_rqst *rqstp)
1751 {
1752 	int i;
1753 
1754 	for (i=0; i < rqstp->rq_enc_pages_num; i++)
1755 		__free_page(rqstp->rq_enc_pages[i]);
1756 	kfree(rqstp->rq_enc_pages);
1757 	rqstp->rq_release_snd_buf = NULL;
1758 }
1759 
1760 static int
1761 alloc_enc_pages(struct rpc_rqst *rqstp)
1762 {
1763 	struct xdr_buf *snd_buf = &rqstp->rq_snd_buf;
1764 	int first, last, i;
1765 
1766 	if (rqstp->rq_release_snd_buf)
1767 		rqstp->rq_release_snd_buf(rqstp);
1768 
1769 	if (snd_buf->page_len == 0) {
1770 		rqstp->rq_enc_pages_num = 0;
1771 		return 0;
1772 	}
1773 
1774 	first = snd_buf->page_base >> PAGE_SHIFT;
1775 	last = (snd_buf->page_base + snd_buf->page_len - 1) >> PAGE_SHIFT;
1776 	rqstp->rq_enc_pages_num = last - first + 1 + 1;
1777 	rqstp->rq_enc_pages
1778 		= kmalloc_array(rqstp->rq_enc_pages_num,
1779 				sizeof(struct page *),
1780 				GFP_NOFS);
1781 	if (!rqstp->rq_enc_pages)
1782 		goto out;
1783 	for (i=0; i < rqstp->rq_enc_pages_num; i++) {
1784 		rqstp->rq_enc_pages[i] = alloc_page(GFP_NOFS);
1785 		if (rqstp->rq_enc_pages[i] == NULL)
1786 			goto out_free;
1787 	}
1788 	rqstp->rq_release_snd_buf = priv_release_snd_buf;
1789 	return 0;
1790 out_free:
1791 	rqstp->rq_enc_pages_num = i;
1792 	priv_release_snd_buf(rqstp);
1793 out:
1794 	return -EAGAIN;
1795 }
1796 
1797 static noinline_for_stack int
1798 gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
1799 		  struct rpc_task *task, struct xdr_stream *xdr)
1800 {
1801 	struct rpc_rqst *rqstp = task->tk_rqstp;
1802 	struct xdr_buf	*snd_buf = &rqstp->rq_snd_buf;
1803 	u32		pad, offset, maj_stat;
1804 	int		status;
1805 	__be32		*p, *opaque_len;
1806 	struct page	**inpages;
1807 	int		first;
1808 	struct kvec	*iov;
1809 
1810 	status = -EIO;
1811 	p = xdr_reserve_space(xdr, 2 * sizeof(*p));
1812 	if (!p)
1813 		goto wrap_failed;
1814 	opaque_len = p++;
1815 	*p = cpu_to_be32(rqstp->rq_seqno);
1816 
1817 	if (rpcauth_wrap_req_encode(task, xdr))
1818 		goto wrap_failed;
1819 
1820 	status = alloc_enc_pages(rqstp);
1821 	if (unlikely(status))
1822 		goto wrap_failed;
1823 	first = snd_buf->page_base >> PAGE_SHIFT;
1824 	inpages = snd_buf->pages + first;
1825 	snd_buf->pages = rqstp->rq_enc_pages;
1826 	snd_buf->page_base -= first << PAGE_SHIFT;
1827 	/*
1828 	 * Move the tail into its own page, in case gss_wrap needs
1829 	 * more space in the head when wrapping.
1830 	 *
1831 	 * Still... Why can't gss_wrap just slide the tail down?
1832 	 */
1833 	if (snd_buf->page_len || snd_buf->tail[0].iov_len) {
1834 		char *tmp;
1835 
1836 		tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]);
1837 		memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len);
1838 		snd_buf->tail[0].iov_base = tmp;
1839 	}
1840 	offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base;
1841 	maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages);
1842 	/* slack space should prevent this ever happening: */
1843 	if (unlikely(snd_buf->len > snd_buf->buflen))
1844 		goto wrap_failed;
1845 	/* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was
1846 	 * done anyway, so it's safe to put the request on the wire: */
1847 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1848 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1849 	else if (maj_stat)
1850 		goto bad_wrap;
1851 
1852 	*opaque_len = cpu_to_be32(snd_buf->len - offset);
1853 	/* guess whether the pad goes into the head or the tail: */
1854 	if (snd_buf->page_len || snd_buf->tail[0].iov_len)
1855 		iov = snd_buf->tail;
1856 	else
1857 		iov = snd_buf->head;
1858 	p = iov->iov_base + iov->iov_len;
1859 	pad = xdr_pad_size(snd_buf->len - offset);
1860 	memset(p, 0, pad);
1861 	iov->iov_len += pad;
1862 	snd_buf->len += pad;
1863 
1864 	return 0;
1865 wrap_failed:
1866 	return status;
1867 bad_wrap:
1868 	trace_rpcgss_wrap(task, maj_stat);
1869 	return -EIO;
1870 }
1871 
1872 static int gss_wrap_req(struct rpc_task *task, struct xdr_stream *xdr)
1873 {
1874 	struct rpc_cred *cred = task->tk_rqstp->rq_cred;
1875 	struct gss_cred	*gss_cred = container_of(cred, struct gss_cred,
1876 			gc_base);
1877 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
1878 	int status;
1879 
1880 	status = -EIO;
1881 	if (ctx->gc_proc != RPC_GSS_PROC_DATA) {
1882 		/* The spec seems a little ambiguous here, but I think that not
1883 		 * wrapping context destruction requests makes the most sense.
1884 		 */
1885 		status = rpcauth_wrap_req_encode(task, xdr);
1886 		goto out;
1887 	}
1888 	switch (gss_cred->gc_service) {
1889 	case RPC_GSS_SVC_NONE:
1890 		status = rpcauth_wrap_req_encode(task, xdr);
1891 		break;
1892 	case RPC_GSS_SVC_INTEGRITY:
1893 		status = gss_wrap_req_integ(cred, ctx, task, xdr);
1894 		break;
1895 	case RPC_GSS_SVC_PRIVACY:
1896 		status = gss_wrap_req_priv(cred, ctx, task, xdr);
1897 		break;
1898 	default:
1899 		status = -EIO;
1900 	}
1901 out:
1902 	gss_put_ctx(ctx);
1903 	return status;
1904 }
1905 
1906 /**
1907  * gss_update_rslack - Possibly update RPC receive buffer size estimates
1908  * @task: rpc_task for incoming RPC Reply being unwrapped
1909  * @cred: controlling rpc_cred for @task
1910  * @before: XDR words needed before each RPC Reply message
1911  * @after: XDR words needed following each RPC Reply message
1912  *
1913  */
1914 static void gss_update_rslack(struct rpc_task *task, struct rpc_cred *cred,
1915 			      unsigned int before, unsigned int after)
1916 {
1917 	struct rpc_auth *auth = cred->cr_auth;
1918 
1919 	if (test_and_clear_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags)) {
1920 		auth->au_ralign = auth->au_verfsize + before;
1921 		auth->au_rslack = auth->au_verfsize + after;
1922 		trace_rpcgss_update_slack(task, auth);
1923 	}
1924 }
1925 
1926 static int
1927 gss_unwrap_resp_auth(struct rpc_task *task, struct rpc_cred *cred)
1928 {
1929 	gss_update_rslack(task, cred, 0, 0);
1930 	return 0;
1931 }
1932 
1933 /*
1934  * RFC 2203, Section 5.3.2.2
1935  *
1936  *	struct rpc_gss_integ_data {
1937  *		opaque databody_integ<>;
1938  *		opaque checksum<>;
1939  *	};
1940  *
1941  *	struct rpc_gss_data_t {
1942  *		unsigned int seq_num;
1943  *		proc_req_arg_t arg;
1944  *	};
1945  */
1946 static noinline_for_stack int
1947 gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred,
1948 		      struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp,
1949 		      struct xdr_stream *xdr)
1950 {
1951 	struct xdr_buf gss_data, *rcv_buf = &rqstp->rq_rcv_buf;
1952 	u32 len, offset, seqno, maj_stat;
1953 	struct xdr_netobj mic;
1954 	int ret;
1955 
1956 	ret = -EIO;
1957 	mic.data = NULL;
1958 
1959 	/* opaque databody_integ<>; */
1960 	if (xdr_stream_decode_u32(xdr, &len))
1961 		goto unwrap_failed;
1962 	if (len & 3)
1963 		goto unwrap_failed;
1964 	offset = rcv_buf->len - xdr_stream_remaining(xdr);
1965 	if (xdr_stream_decode_u32(xdr, &seqno))
1966 		goto unwrap_failed;
1967 	if (seqno != rqstp->rq_seqno)
1968 		goto bad_seqno;
1969 	if (xdr_buf_subsegment(rcv_buf, &gss_data, offset, len))
1970 		goto unwrap_failed;
1971 
1972 	/*
1973 	 * The xdr_stream now points to the beginning of the
1974 	 * upper layer payload, to be passed below to
1975 	 * rpcauth_unwrap_resp_decode(). The checksum, which
1976 	 * follows the upper layer payload in @rcv_buf, is
1977 	 * located and parsed without updating the xdr_stream.
1978 	 */
1979 
1980 	/* opaque checksum<>; */
1981 	offset += len;
1982 	if (xdr_decode_word(rcv_buf, offset, &len))
1983 		goto unwrap_failed;
1984 	offset += sizeof(__be32);
1985 	if (offset + len > rcv_buf->len)
1986 		goto unwrap_failed;
1987 	mic.len = len;
1988 	mic.data = kmalloc(len, GFP_NOFS);
1989 	if (!mic.data)
1990 		goto unwrap_failed;
1991 	if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len))
1992 		goto unwrap_failed;
1993 
1994 	maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &gss_data, &mic);
1995 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
1996 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
1997 	if (maj_stat != GSS_S_COMPLETE)
1998 		goto bad_mic;
1999 
2000 	gss_update_rslack(task, cred, 2, 2 + 1 + XDR_QUADLEN(mic.len));
2001 	ret = 0;
2002 
2003 out:
2004 	kfree(mic.data);
2005 	return ret;
2006 
2007 unwrap_failed:
2008 	trace_rpcgss_unwrap_failed(task);
2009 	goto out;
2010 bad_seqno:
2011 	trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, seqno);
2012 	goto out;
2013 bad_mic:
2014 	trace_rpcgss_verify_mic(task, maj_stat);
2015 	goto out;
2016 }
2017 
2018 static noinline_for_stack int
2019 gss_unwrap_resp_priv(struct rpc_task *task, struct rpc_cred *cred,
2020 		     struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp,
2021 		     struct xdr_stream *xdr)
2022 {
2023 	struct xdr_buf *rcv_buf = &rqstp->rq_rcv_buf;
2024 	struct kvec *head = rqstp->rq_rcv_buf.head;
2025 	u32 offset, opaque_len, maj_stat;
2026 	__be32 *p;
2027 
2028 	p = xdr_inline_decode(xdr, 2 * sizeof(*p));
2029 	if (unlikely(!p))
2030 		goto unwrap_failed;
2031 	opaque_len = be32_to_cpup(p++);
2032 	offset = (u8 *)(p) - (u8 *)head->iov_base;
2033 	if (offset + opaque_len > rcv_buf->len)
2034 		goto unwrap_failed;
2035 
2036 	maj_stat = gss_unwrap(ctx->gc_gss_ctx, offset,
2037 			      offset + opaque_len, rcv_buf);
2038 	if (maj_stat == GSS_S_CONTEXT_EXPIRED)
2039 		clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
2040 	if (maj_stat != GSS_S_COMPLETE)
2041 		goto bad_unwrap;
2042 	/* gss_unwrap decrypted the sequence number */
2043 	if (be32_to_cpup(p++) != rqstp->rq_seqno)
2044 		goto bad_seqno;
2045 
2046 	/* gss_unwrap redacts the opaque blob from the head iovec.
2047 	 * rcv_buf has changed, thus the stream needs to be reset.
2048 	 */
2049 	xdr_init_decode(xdr, rcv_buf, p, rqstp);
2050 
2051 	gss_update_rslack(task, cred, 2 + ctx->gc_gss_ctx->align,
2052 			  2 + ctx->gc_gss_ctx->slack);
2053 
2054 	return 0;
2055 unwrap_failed:
2056 	trace_rpcgss_unwrap_failed(task);
2057 	return -EIO;
2058 bad_seqno:
2059 	trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, be32_to_cpup(--p));
2060 	return -EIO;
2061 bad_unwrap:
2062 	trace_rpcgss_unwrap(task, maj_stat);
2063 	return -EIO;
2064 }
2065 
2066 static bool
2067 gss_seq_is_newer(u32 new, u32 old)
2068 {
2069 	return (s32)(new - old) > 0;
2070 }
2071 
2072 static bool
2073 gss_xmit_need_reencode(struct rpc_task *task)
2074 {
2075 	struct rpc_rqst *req = task->tk_rqstp;
2076 	struct rpc_cred *cred = req->rq_cred;
2077 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
2078 	u32 win, seq_xmit = 0;
2079 	bool ret = true;
2080 
2081 	if (!ctx)
2082 		goto out;
2083 
2084 	if (gss_seq_is_newer(req->rq_seqno, READ_ONCE(ctx->gc_seq)))
2085 		goto out_ctx;
2086 
2087 	seq_xmit = READ_ONCE(ctx->gc_seq_xmit);
2088 	while (gss_seq_is_newer(req->rq_seqno, seq_xmit)) {
2089 		u32 tmp = seq_xmit;
2090 
2091 		seq_xmit = cmpxchg(&ctx->gc_seq_xmit, tmp, req->rq_seqno);
2092 		if (seq_xmit == tmp) {
2093 			ret = false;
2094 			goto out_ctx;
2095 		}
2096 	}
2097 
2098 	win = ctx->gc_win;
2099 	if (win > 0)
2100 		ret = !gss_seq_is_newer(req->rq_seqno, seq_xmit - win);
2101 
2102 out_ctx:
2103 	gss_put_ctx(ctx);
2104 out:
2105 	trace_rpcgss_need_reencode(task, seq_xmit, ret);
2106 	return ret;
2107 }
2108 
2109 static int
2110 gss_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr)
2111 {
2112 	struct rpc_rqst *rqstp = task->tk_rqstp;
2113 	struct rpc_cred *cred = rqstp->rq_cred;
2114 	struct gss_cred *gss_cred = container_of(cred, struct gss_cred,
2115 			gc_base);
2116 	struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
2117 	int status = -EIO;
2118 
2119 	if (ctx->gc_proc != RPC_GSS_PROC_DATA)
2120 		goto out_decode;
2121 	switch (gss_cred->gc_service) {
2122 	case RPC_GSS_SVC_NONE:
2123 		status = gss_unwrap_resp_auth(task, cred);
2124 		break;
2125 	case RPC_GSS_SVC_INTEGRITY:
2126 		status = gss_unwrap_resp_integ(task, cred, ctx, rqstp, xdr);
2127 		break;
2128 	case RPC_GSS_SVC_PRIVACY:
2129 		status = gss_unwrap_resp_priv(task, cred, ctx, rqstp, xdr);
2130 		break;
2131 	}
2132 	if (status)
2133 		goto out;
2134 
2135 out_decode:
2136 	status = rpcauth_unwrap_resp_decode(task, xdr);
2137 out:
2138 	gss_put_ctx(ctx);
2139 	return status;
2140 }
2141 
2142 static const struct rpc_authops authgss_ops = {
2143 	.owner		= THIS_MODULE,
2144 	.au_flavor	= RPC_AUTH_GSS,
2145 	.au_name	= "RPCSEC_GSS",
2146 	.create		= gss_create,
2147 	.destroy	= gss_destroy,
2148 	.hash_cred	= gss_hash_cred,
2149 	.lookup_cred	= gss_lookup_cred,
2150 	.crcreate	= gss_create_cred,
2151 	.info2flavor	= gss_mech_info2flavor,
2152 	.flavor2info	= gss_mech_flavor2info,
2153 };
2154 
2155 static const struct rpc_credops gss_credops = {
2156 	.cr_name		= "AUTH_GSS",
2157 	.crdestroy		= gss_destroy_cred,
2158 	.cr_init		= gss_cred_init,
2159 	.crmatch		= gss_match,
2160 	.crmarshal		= gss_marshal,
2161 	.crrefresh		= gss_refresh,
2162 	.crvalidate		= gss_validate,
2163 	.crwrap_req		= gss_wrap_req,
2164 	.crunwrap_resp		= gss_unwrap_resp,
2165 	.crkey_timeout		= gss_key_timeout,
2166 	.crstringify_acceptor	= gss_stringify_acceptor,
2167 	.crneed_reencode	= gss_xmit_need_reencode,
2168 };
2169 
2170 static const struct rpc_credops gss_nullops = {
2171 	.cr_name		= "AUTH_GSS",
2172 	.crdestroy		= gss_destroy_nullcred,
2173 	.crmatch		= gss_match,
2174 	.crmarshal		= gss_marshal,
2175 	.crrefresh		= gss_refresh_null,
2176 	.crvalidate		= gss_validate,
2177 	.crwrap_req		= gss_wrap_req,
2178 	.crunwrap_resp		= gss_unwrap_resp,
2179 	.crstringify_acceptor	= gss_stringify_acceptor,
2180 };
2181 
2182 static const struct rpc_pipe_ops gss_upcall_ops_v0 = {
2183 	.upcall		= gss_v0_upcall,
2184 	.downcall	= gss_pipe_downcall,
2185 	.destroy_msg	= gss_pipe_destroy_msg,
2186 	.open_pipe	= gss_pipe_open_v0,
2187 	.release_pipe	= gss_pipe_release,
2188 };
2189 
2190 static const struct rpc_pipe_ops gss_upcall_ops_v1 = {
2191 	.upcall		= gss_v1_upcall,
2192 	.downcall	= gss_pipe_downcall,
2193 	.destroy_msg	= gss_pipe_destroy_msg,
2194 	.open_pipe	= gss_pipe_open_v1,
2195 	.release_pipe	= gss_pipe_release,
2196 };
2197 
2198 static __net_init int rpcsec_gss_init_net(struct net *net)
2199 {
2200 	return gss_svc_init_net(net);
2201 }
2202 
2203 static __net_exit void rpcsec_gss_exit_net(struct net *net)
2204 {
2205 	gss_svc_shutdown_net(net);
2206 }
2207 
2208 static struct pernet_operations rpcsec_gss_net_ops = {
2209 	.init = rpcsec_gss_init_net,
2210 	.exit = rpcsec_gss_exit_net,
2211 };
2212 
2213 /*
2214  * Initialize RPCSEC_GSS module
2215  */
2216 static int __init init_rpcsec_gss(void)
2217 {
2218 	int err = 0;
2219 
2220 	err = rpcauth_register(&authgss_ops);
2221 	if (err)
2222 		goto out;
2223 	err = gss_svc_init();
2224 	if (err)
2225 		goto out_unregister;
2226 	err = register_pernet_subsys(&rpcsec_gss_net_ops);
2227 	if (err)
2228 		goto out_svc_exit;
2229 	rpc_init_wait_queue(&pipe_version_rpc_waitqueue, "gss pipe version");
2230 	return 0;
2231 out_svc_exit:
2232 	gss_svc_shutdown();
2233 out_unregister:
2234 	rpcauth_unregister(&authgss_ops);
2235 out:
2236 	return err;
2237 }
2238 
2239 static void __exit exit_rpcsec_gss(void)
2240 {
2241 	unregister_pernet_subsys(&rpcsec_gss_net_ops);
2242 	gss_svc_shutdown();
2243 	rpcauth_unregister(&authgss_ops);
2244 	rcu_barrier(); /* Wait for completion of call_rcu()'s */
2245 }
2246 
2247 MODULE_ALIAS("rpc-auth-6");
2248 MODULE_LICENSE("GPL");
2249 module_param_named(expired_cred_retry_delay,
2250 		   gss_expired_cred_retry_delay,
2251 		   uint, 0644);
2252 MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until "
2253 		"the RPC engine retries an expired credential");
2254 
2255 module_param_named(key_expire_timeo,
2256 		   gss_key_expire_timeo,
2257 		   uint, 0644);
2258 MODULE_PARM_DESC(key_expire_timeo, "Time (in seconds) at the end of a "
2259 		"credential keys lifetime where the NFS layer cleans up "
2260 		"prior to key expiration");
2261 
2262 module_init(init_rpcsec_gss)
2263 module_exit(exit_rpcsec_gss)
2264